Jump to content


Photo

Vundo.dll + annoying pop-ups


  • This topic is locked This topic is locked
22 replies to this topic

#1 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 22 May 2007 - 03:06 PM

Since just a few days, i've been experiencing my computer running extremely slow all of a sudden, and whenever i start up i get message saying mcaffee has removed the trojan "Vundo.dll". Also, whenever i am connected to the internet pop-ups appear with all kinds of nonsense. i was wondering if this had anything to do with the trojan.

I have downloaded HijackThis and done a scan, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 21:20:48, on 22-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tablet\TabUserW.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\DfrgNtfs.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Ruben\Bureaublad\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lotro-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\lwopmcqo.dll",realset
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: Wallpaper kiezer.lnk = C:\Program Files\goldensun\wpc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Tablet.lnk = C:\Program Files\Tablet\TabUserW.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

If anyone could help me remove this trojan and other harmful files from my computer i'd be very grateful, i don't feel like formatting my C: again.

I think i am still in an early stage of the trojan, since i only get 1 or 2 messages a day, and i have not yet experienced any damage to my computer.

Thanks, Ruben

PS: also, i have failing internet connection once every half hour or so. but i have been experiencing this problem some weeks before the trojan infection. although i have had 1 trojan infection before, but that one was succesfully removed and never heard anything from it again. could this be happening because of malware or just because i have a bad internet connection?

Edited by Ssaturos, 22 May 2007 - 03:29 PM.


#2 Eltek

Eltek

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 23 May 2007 - 02:19 AM

Hi there. I had the same problems and I tried 6 different programs too fix it, but nothing helped until I installed Vundofix. Everything is working fine now. Heres the link to the program :

http://forums.spywar...mp;hl=vundo fix

Regards Andre

#3 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 23 May 2007 - 01:31 PM

Thank you andre, i've downloaded and used vundofix, it found around 9 infected files and has removed all. after that i deleted all my older java versions, i then did another hijackthis scan, here's my new report:

Logfile of HijackThis v1.99.1
Scan saved at 20:16:50, on 23-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Tablet\TabUserW.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ruben\Bureaublad\VundoFix.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lotro-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B444929F-3D60-4397-AF1A-F938EEF50785} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: Wallpaper kiezer.lnk = C:\Program Files\goldensun\wpc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Tablet.lnk = C:\Program Files\Tablet\TabUserW.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

#4 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,521 posts

Posted 25 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#5 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 28 May 2007 - 05:44 AM

Hello Ssaturos,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, letís do this next.

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please reboot your computer normally into Windows, and then please post the ComboFix log and a new HijackThis log.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#6 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 28 May 2007 - 04:25 PM

Thank you.

I have run combofix and here's the logfile:

"Ruben" - 2007-05-28 23:13:59 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Ruben\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))


2007-05-23 19:53 <DIR> d-------- C:\Vundofix
2007-05-23 19:46 <DIR> d-------- C:\VundoFix Backups
2007-05-22 22:10 <DIR> d-------- C:\HJT
2007-05-14 23:25 <DIR> d-------- C:\Creative
2007-05-14 00:49 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-05-14 00:46 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-05-14 00:45 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-05-14 00:43 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-05-14 00:41 3,072 --a------ C:\WINDOWS\CTXFIDUT.DLL
2007-05-14 00:41 24,576 --a------ C:\WINDOWS\INRESDUT.DLL
2007-05-14 00:41 10,752 --a------ C:\WINDOWS\CTDCRDUT.DLL
2007-05-14 00:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-05-13 15:01 <DIR> d-------- C:\Program Files\QuickTime
2007-05-13 11:06 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-05-13 11:06 840,960 --a------ C:\WINDOWS\system32\drivers\P17.sys
2007-05-13 11:06 53,248 --a------ C:\WINDOWS\system32\P17CPI.dll
2007-05-13 11:06 33,792 -ra------ C:\WINDOWS\system32\a3d.dll
2007-05-13 11:06 20,480 --a--c--- C:\WINDOWS\P17DEF.EXE
2007-05-13 11:06 139,264 --a------ C:\WINDOWS\system32\EAX.DLL
2007-05-13 11:06 136,704 --a------ C:\WINDOWS\system32\P17res.dll
2007-05-13 11:06 11,766 --a--c--- C:\WINDOWS\SETTINGS.REG
2007-05-13 11:05 65,024 --a------ C:\WINDOWS\system32\CTDetres.dll
2007-05-07 21:16 <DIR> d-------- C:\Program Files\Warblade
2007-05-07 11:54 <DIR> d-------- C:\Program Files\MAIET
2007-05-05 16:17 860 --a------ C:\WINDOWS\checkip.dat
2007-05-02 11:26 <DIR> d-------- C:\NVIDIA


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-28 08:38:10 -------- d-----w C:\Program Files\Weather Watcher
2007-05-28 08:33:46 12,338 ----a-w C:\WINDOWS\system32\Tablet.dat
2007-05-27 16:40:38 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-05-21 20:18:17 -------- d-----w C:\Program Files\Hitman Pro
2007-05-21 20:18:17 -------- d-----w C:\Program Files\FlashGet
2007-05-20 19:57:05 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-14 17:01:28 -------- d-----w C:\Program Files\LimeWire
2007-05-14 11:20:16 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Creative
2007-05-14 05:38:19 -------- d-----w C:\Program Files\Creative
2007-05-07 19:53:54 -------- d-----w C:\Program Files\GameSpy Arcade
2007-05-02 09:31:38 -------- d-----w C:\Program Files\EA GAMES
2007-04-18 16:15:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 18:18:58 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Windows Desktop Search
2007-04-17 17:57:46 89,132 ----a-w C:\WINDOWS\system32\perfc013.dat
2007-04-17 17:57:46 488,174 ----a-w C:\WINDOWS\system32\perfh013.dat
2007-04-17 17:57:40 -------- d-----w C:\Program Files\Windows Desktop Search
2007-04-13 23:39:42 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Turbine
2007-04-04 16:28:44 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-03-29 13:46:54 -------- d-----w C:\Program Files\Codemasters
2007-03-17 13:45:54 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:39:10 579,072 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:39:10 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:39:10 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:37:59 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2006-10-11 17:43:51 80 --sh--r C:\WINDOWS\system32\FFC7D5B02C.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9}=C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL [2006-12-19 20:43]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 05:33]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2005-08-11 20:45]
{B444929F-3D60-4397-AF1A-F938EEF50785}=C:\WINDOWS\system32\mljgh.dll []
{D73F49B1-B51B-4d32-A3B7-BD04B8342F53}=C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL [2006-12-19 20:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 18:51 C:\WINDOWS\system32\P17.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 13:49]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-05-10 17:37]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 00:00]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 23:02]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"SigmatelSysTrayApp"="stsystra.exe" []
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 03:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 14:11]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07]
"CTHelper"="CTHELPER.EXE" []
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 06:20 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-04-18 17:12]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2006-02-11 15:06]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"SetDefaultMIDI"="MIDIDef.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39]

*Newly Created Service* -PROCEXP90

Contents of the 'Scheduled Tasks' folder
2007-05-13 11:50:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-28 08:36:54 C:\WINDOWS\tasks\Scannen op virussen via McAfee.com - Mijn computer (RUBEN-KAMER-Ruben).job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 23:18:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-28 23:18:58

--- E O F ---

after that i ran hijackthis, here's the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 23:21:28, on 28-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DAEMON Tools\daemon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Tablet\TabUserW.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lotro-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B444929F-3D60-4397-AF1A-F938EEF50785} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: Wallpaper kiezer.lnk = C:\Program Files\goldensun\wpc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Tablet.lnk = C:\Program Files\Tablet\TabUserW.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe



thanks again for your time!

#7 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 28 May 2007 - 11:09 PM

Hi Ssaturos, :wave:

You’re most welcome, Ssaturos. Glad to be of some help. :)

OK, here’s what we do next.

I notice that you have SpySweeper running. Please disable SpySweeper, as it may hinder the some of the fixes we need to make. You can re-enable it after your system is clean.

To disable SpySweeper Shields:
  • Open it, click -> "Options" over to the left then -> click the "Program" tab -> uncheck "Start Spy Sweeper at Windows startup".
  • Over to the left click "Shields":
    • Click "Internet Explorer" tab and uncheck all items.
    • Click "Windows System" tab and uncheck all items.
    • Click "Hosts File" tab and uncheck all items.
    • Click "Startup Programs" tab and uncheck all items.
  • Close SpySweeper.

NEXT:

Go to Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

Morpheus
MorpheusBar


You can replace it with a more reputable P2P program from this page:
http://p2p.malwareremoval.com/


Also, please remove these programs:

Messenger Plus! Live
MessengerPlus! 3


They come bundled with the malware known as Lop/Swizzor.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O2 - BHO: (no name) - {B444929F-3D60-4397-AF1A-F938EEF50785} - C:\WINDOWS\system32\mljgh.dll (file missing)
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Startup: Wallpaper kiezer.lnk = C:\Program Files\goldensun\wpc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please ensure that ComboFix.exe is on your desktop:
  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


    File::
    C:\WINDOWS\SETTINGS.REG
    C:\WINDOWS\checkip.dat
    C:\WINDOWS\system32\FFC7D5B02C.dll
    C:\Program Files\goldensun\wpc.exe
    
    Folder::
    C:\Program Files\Messenger Plus! Live
    C:\Program Files\MessengerPlus! 3
    C:\Program Files\MorpheusBar
    C:\Program Files\Morpheus
    

  • Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Posted Image


  • Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • UNCHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  • When done, please exit CCleaner.
CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):
  • Click on "Kaspersky Online Scanner".
  • You will be prompted to install an ActiveX component from Kaspersky, click "Yes".
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on "Next".
  • Now click on "Scan Settings".
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click "OK".
  • Now under select a target to scan:
    • Select "My Computer".
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the "Save Report As" button.
    • In the "File name:" field, type kavscan.
    • In the "Save as type:" field, select "Text file (*.txt)".
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan located at C:\ComboFix.txt.
  • The log from the Kaspersky scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

Edited by Sempurna, 28 May 2007 - 11:14 PM.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#8 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 31 May 2007 - 10:50 AM

Alright, some steps didn't work that well, i'll list what i've done below:

1. I didn't even know i had spy-sweeper, didn't find it on my pc either, just some left over folders from i think what used to be spy-sweeper. i've deleted those folders and anything else wich related to spy-sweeper.

2. Morpheus: deleted. but morpheusbar i couldn't delete, told me the i should check if the program was running. closed all applications and still wouldn't delete. odd.

MessengerPlus!: is it absolutely necessary to delete this program, i am using it alot and have never found any problems while using it. also i had this program long before i had any virus/malware problems.

3. Ran the hijackthis fix and checked all boxes you noted except for "O4 - Startup: Wallpaper kiezer.lnk = C:\Program Files\goldensun\wpc.exe" . I did this because i know wich program this is, it's a program wich you use to automatically change your wallpaper every time you startup windows. i downloaded this from a trusted source, the nintendo website, and i couldn't imagine there would be malware in that program.

4. Then ran combofix with the wordpad file, but cut out the wallpaperchanger and the 2 messengerplus files for now.

Report:
"Ruben" - 2007-05-31 17:37:01 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Ruben\"
Command switches used :: ""C:\Documents and Settings\Ruben\Bureaublad\ComboFix-Do.txt""


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-31 ))))))))))))))))))))))))))))))))))


2007-05-30 12:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-30 12:29 <DIR> dr-h----- C:\Documents and Settings\Ruben\Onlangs geopend
2007-05-30 12:29 <DIR> dr-h----- C:\DOCUME~1\Ruben\Onlangs geopend
2007-05-30 12:25 <DIR> d-------- C:\Program Files\CCleaner
2007-05-28 23:18 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-23 19:53 <DIR> d-------- C:\Vundofix
2007-05-23 19:46 <DIR> d-------- C:\VundoFix Backups
2007-05-22 22:10 <DIR> d-------- C:\HJT
2007-05-14 23:25 <DIR> d-------- C:\Creative
2007-05-14 00:49 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-05-14 00:46 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-05-14 00:45 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-05-14 00:43 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-05-14 00:41 3,072 --a------ C:\WINDOWS\CTXFIDUT.DLL
2007-05-14 00:41 24,576 --a------ C:\WINDOWS\INRESDUT.DLL
2007-05-14 00:41 10,752 --a------ C:\WINDOWS\CTDCRDUT.DLL
2007-05-14 00:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-05-13 15:01 <DIR> d-------- C:\Program Files\QuickTime
2007-05-13 11:06 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-05-13 11:06 840,960 --a------ C:\WINDOWS\system32\drivers\P17.sys
2007-05-13 11:06 53,248 --a------ C:\WINDOWS\system32\P17CPI.dll
2007-05-13 11:06 33,792 -ra------ C:\WINDOWS\system32\a3d.dll
2007-05-13 11:06 20,480 --a--c--- C:\WINDOWS\P17DEF.EXE
2007-05-13 11:06 139,264 --a------ C:\WINDOWS\system32\EAX.DLL
2007-05-13 11:06 136,704 --a------ C:\WINDOWS\system32\P17res.dll
2007-05-13 11:06 11,766 --a--c--- C:\WINDOWS\SETTINGS.REG
2007-05-13 11:05 65,024 --a------ C:\WINDOWS\system32\CTDetres.dll
2007-05-07 21:16 <DIR> d-------- C:\Program Files\Warblade
2007-05-07 11:54 <DIR> d-------- C:\Program Files\MAIET
2007-05-05 16:17 860 --a------ C:\WINDOWS\checkip.dat
2007-05-02 11:26 <DIR> d-------- C:\NVIDIA
2007-04-17 20:18 <DIR> d-------- C:\DOCUME~1\Ruben\APPLIC~1\Windows Desktop Search
2007-04-17 19:57 <DIR> d-------- C:\Program Files\Windows Desktop Search
2007-04-14 01:39 <DIR> d-------- C:\DOCUME~1\Ruben\APPLIC~1\Turbine


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-31 15:36:00 -------- d-----w C:\Program Files\Weather Watcher
2007-05-31 14:26:25 12,338 ----a-w C:\WINDOWS\system32\Tablet.dat
2007-05-30 10:08:07 -------- d-----w C:\Program Files\MorpheusBar
2007-05-29 18:10:52 -------- d-----w C:\Program Files\LimeWire
2007-05-27 16:40:38 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-05-21 20:18:17 -------- d-----w C:\Program Files\Hitman Pro
2007-05-21 20:18:17 -------- d-----w C:\Program Files\FlashGet
2007-05-20 19:57:05 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-14 11:20:16 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Creative
2007-05-14 05:38:19 -------- d-----w C:\Program Files\Creative
2007-05-07 19:53:54 -------- d-----w C:\Program Files\GameSpy Arcade
2007-05-02 09:31:38 -------- d-----w C:\Program Files\EA GAMES
2007-04-18 16:15:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 17:57:46 89,132 ----a-w C:\WINDOWS\system32\perfc013.dat
2007-04-17 17:57:46 488,174 ----a-w C:\WINDOWS\system32\perfh013.dat
2007-04-04 16:28:44 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-03-29 13:46:54 -------- d-----w C:\Program Files\Codemasters
2007-03-17 13:45:54 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:39:10 579,072 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:39:10 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:39:10 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:37:59 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2006-10-11 17:43:51 80 --sh--r C:\WINDOWS\system32\FFC7D5B02C.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 05:33]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2005-08-11 20:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 18:51 C:\WINDOWS\system32\P17.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 13:49]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-05-10 17:37]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 00:00]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 23:02]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"SigmatelSysTrayApp"="stsystra.exe" []
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 03:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 14:11]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07]
"CTHelper"="CTHELPER.EXE" []
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 06:20 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-04-18 17:12]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2006-02-11 15:06]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"SetDefaultMIDI"="MIDIDef.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41cf6f41-ac2e-11da-809f-0014a5019094}]
AutoRun\command- K:\setupSNK.exe


Contents of the 'Scheduled Tasks' folder
2007-05-13 11:50:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-31 14:39:23 C:\WINDOWS\tasks\Scannen op virussen via McAfee.com - Mijn computer (RUBEN-KAMER-Ruben).job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-31 17:40:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-31 17:41:31
C:\ComboFix2.txt ... 2007-05-28 23:18

--- E O F ---

5. I tried to do the kaspercy scan, but my failing internet kept interfering with the scan, so i never got to the end of any scan, it came to about 3/4 max, finding 7-8 virusses and about 30 malware. that's all the info i can provide from the scan.

New hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 17:49:46, on 31-5-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Tablet\TabUserW.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lotro-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: Wallpaper kiezer.lnk = C:\Program Files\goldensun\wpc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tablet.lnk = C:\Program Files\Tablet\TabUserW.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Thank you and sorry for not being able to complete all the steps.

#9 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 31 May 2007 - 11:22 PM

Hi Ssaturos, :wave:

You’re most welcome, Ssaturos. Don’t worry if you cannot complete all the steps of the fix. This happens. :)


Morpheus: deleted. but morpheusbar i couldn't delete, told me the i should check if the program was running. closed all applications and still wouldn't delete. odd.

I think that ComboFix would have deleted it. Let’s see if it shows up in the next ComboFix log.


MessengerPlus!: is it absolutely necessary to delete this program, i am using it alot and have never found any problems while using it. also i had this program long before i had any virus/malware problems.

OK, you may keep it on your system, but just be watchful if anything happens. This app is usually bundled with malware. :)


Then ran combofix with the wordpad file, but cut out the wallpaperchanger and the 2 messengerplus files for now.

Can you try it again, but this time using Notepad to copy the script? I don’t think the fix works with Wordpad.


NEXT:

Since Kaspersky couldn’t run to completion, let’s try this standalone scanner.

Download Dr.Web CureIt to the desktop:
http://www.freedrweb.../cureit/?lng=en
  • Double-click the cureit.exe file and allow it to run the "Express Scan".
  • This will scan the files currently running in memory and when something is found, click the "Yes" button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives; a red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, click the icon next to the files found: Posted Image
  • Then click the next icon right below and select "Move incurable" as you'll see in next image:

    Posted Image

  • This will move infected/suspicious files to the %userprofile%\DoctorWeb\quarantine folder if they can't be cured (this is in case if we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click "File" and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan.
  • The log from the Dr.Web CureIt scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

Edited by Sempurna, 31 May 2007 - 11:24 PM.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#10 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 03 June 2007 - 05:22 PM

I downloaded CureIt! and ran it, but it didn't find any virusses, here's my Hijackthis report:

Logfile of HijackThis v1.99.1
Scan saved at 0:21:44, on 4-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tablet\TabUserW.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lotro-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: Wallpaper kiezer.lnk = C:\Program Files\goldensun\wpc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tablet.lnk = C:\Program Files\Tablet\TabUserW.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Thanks!

#11 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 03 June 2007 - 11:33 PM

Hi Ssaturos, :wave:

You're most welcome, Ssaturos. :)

Can you do a new scan with ComboFix and let me see the log it generates, please?
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#12 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 04 June 2007 - 08:07 AM

alrighty, here's the combofix log:

"Ruben" - 2007-06-04 13:52:31 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Ruben\Bureaublad\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 ))))))))))))))))))))))))))))))))))


2007-06-04 00:05 <DIR> d-------- C:\Documents and Settings\Ruben\DoctorWeb
2007-06-04 00:05 <DIR> d-------- C:\DOCUME~1\Ruben\DoctorWeb
2007-05-31 18:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-05-30 12:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-30 12:29 <DIR> dr-h----- C:\Documents and Settings\Ruben\Onlangs geopend
2007-05-30 12:29 <DIR> dr-h----- C:\DOCUME~1\Ruben\Onlangs geopend
2007-05-30 12:25 <DIR> d-------- C:\Program Files\CCleaner
2007-05-28 23:18 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-23 19:53 <DIR> d-------- C:\Vundofix
2007-05-23 19:46 <DIR> d-------- C:\VundoFix Backups
2007-05-22 22:10 <DIR> d-------- C:\HJT
2007-05-14 23:25 <DIR> d-------- C:\Creative
2007-05-14 00:49 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-05-14 00:46 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-05-14 00:45 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-05-14 00:43 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-05-14 00:41 3,072 --a------ C:\WINDOWS\CTXFIDUT.DLL
2007-05-14 00:41 24,576 --a------ C:\WINDOWS\INRESDUT.DLL
2007-05-14 00:41 10,752 --a------ C:\WINDOWS\CTDCRDUT.DLL
2007-05-14 00:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-05-13 15:01 <DIR> d-------- C:\Program Files\QuickTime
2007-05-13 11:06 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-05-13 11:06 840,960 --a------ C:\WINDOWS\system32\drivers\P17.sys
2007-05-13 11:06 53,248 --a------ C:\WINDOWS\system32\P17CPI.dll
2007-05-13 11:06 33,792 -ra------ C:\WINDOWS\system32\a3d.dll
2007-05-13 11:06 20,480 --a--c--- C:\WINDOWS\P17DEF.EXE
2007-05-13 11:06 139,264 --a------ C:\WINDOWS\system32\EAX.DLL
2007-05-13 11:06 136,704 --a------ C:\WINDOWS\system32\P17res.dll
2007-05-13 11:06 11,766 --a--c--- C:\WINDOWS\SETTINGS.REG
2007-05-13 11:05 65,024 --a------ C:\WINDOWS\system32\CTDetres.dll
2007-05-07 21:16 <DIR> d-------- C:\Program Files\Warblade
2007-05-07 11:54 <DIR> d-------- C:\Program Files\MAIET
2007-05-05 16:17 860 --a------ C:\WINDOWS\checkip.dat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 11:01:02 -------- d-----w C:\Program Files\Weather Watcher
2007-06-04 10:59:05 12,338 ----a-w C:\WINDOWS\system32\Tablet.dat
2007-06-02 16:52:58 -------- d-----w C:\Program Files\LimeWire
2007-05-31 16:56:08 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 16:14:09 -------- d-----w C:\Program Files\Google
2007-05-30 10:08:07 -------- d-----w C:\Program Files\MorpheusBar
2007-05-27 16:40:38 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-05-21 20:18:17 -------- d-----w C:\Program Files\Hitman Pro
2007-05-21 20:18:17 -------- d-----w C:\Program Files\FlashGet
2007-05-14 11:20:16 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Creative
2007-05-14 05:38:19 -------- d-----w C:\Program Files\Creative
2007-05-07 19:53:54 -------- d-----w C:\Program Files\GameSpy Arcade
2007-05-02 09:31:38 -------- d-----w C:\Program Files\EA GAMES
2007-04-18 16:15:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 18:18:58 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Windows Desktop Search
2007-04-17 17:57:46 89,132 ----a-w C:\WINDOWS\system32\perfc013.dat
2007-04-17 17:57:46 488,174 ----a-w C:\WINDOWS\system32\perfh013.dat
2007-04-17 17:57:40 -------- d-----w C:\Program Files\Windows Desktop Search
2007-04-13 23:39:42 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Turbine
2007-04-04 16:28:44 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-03-17 13:45:54 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:39:10 579,072 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:39:10 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:39:10 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:37:59 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2006-10-11 17:43:51 80 --sh--r C:\WINDOWS\system32\FFC7D5B02C.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 05:33]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2005-08-11 20:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 18:51 C:\WINDOWS\system32\P17.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 13:49]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-05-10 17:37]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 05:33]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 00:00]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 23:02]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"SigmatelSysTrayApp"="stsystra.exe" []
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 03:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 14:11]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07]
"CTHelper"="CTHELPER.EXE" []
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 06:20 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-04-18 17:12]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2006-02-11 15:06]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"SetDefaultMIDI"="MIDIDef.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39]


Contents of the 'Scheduled Tasks' folder
2007-05-13 11:50:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-04 10:59:35 C:\WINDOWS\tasks\Scannen op virussen via McAfee.com - Mijn computer (RUBEN-KAMER-Ruben).job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-04 13:56:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-04 13:57:01
C:\ComboFix2.txt ... 2007-05-31 17:41
C:\ComboFix3.txt ... 2007-05-28 23:18

--- E O F ---

#13 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 04 June 2007 - 11:21 PM

Hi Ssaturos, :wave:

OK, letís pick up the leftovers.

Go to Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

MorpheusBar

You can replace it with one of the more reputable P2P programs found on this page:
http://p2p.malwareremoval.com/


Also, please uninstall Messenger Plus! Live as it usually comes bundled with the malware called Lop/Swizzor.


NEXT:

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following FOLDERS (if they exist):

C:\Program Files\MorpheusBar
C:\Program Files\Messenger Plus! Live


NEXT:

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:

    C:\WINDOWS\system32\FFC7D5B02C.dll

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The report from VirusTotal.
  • A new ComboFix log.
  • A new HijackThis log.
How are things running now? Please let me know about any problems that persist.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#14 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 07 June 2007 - 03:50 PM

I'm sorry for not responding this long, but i've been really busy with school exams and my internet keeps on failing, and that's not helping either. I'll do the scans first thing tomorrow.

#15 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 08 June 2007 - 05:26 PM

Alright, here's the scan, it showed no virusses were found:

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.08.2007 no virus found
AntiVir 7.4.0.32 06.08.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.07.2007 no virus found
AVG 7.5.0.467 06.07.2007 no virus found
BitDefender 7.2 06.08.2007 no virus found
CAT-QuickHeal 9.00 06.08.2007 no virus found
ClamAV devel-20070416 06.08.2007 no virus found
DrWeb 4.33 06.08.2007 no virus found
eSafe 7.0.15.0 06.06.2007 no virus found
eTrust-Vet 30.7.3703 06.08.2007 no virus found
Ewido 4.0 06.08.2007 no virus found
FileAdvisor 1 06.08.2007 no virus found
Fortinet 2.85.0.0 06.08.2007 no virus foun

although when i was gone, macaffee ran a scan like it does on every friday, and found 2 vundo files in the vundofix/backups folder, this is normal?

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 0:18:11, on 9-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\vsnpstd.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Tablet\TabUserW.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lotro-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: Wallpaper kiezer.lnk = C:\Program Files\goldensun\wpc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tablet.lnk = C:\Program Files\Tablet\TabUserW.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Combofix:

"Ruben" - 2007-06-09 0:18:40 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Ruben\Bureaublad\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 ))))))))))))))))))))))))))))))))))


2007-06-04 15:22 <DIR> d-------- C:\DOCUME~1\Ruben\APPLIC~1\SecondLife
2007-06-04 15:21 <DIR> d-------- C:\Program Files\SecondLife
2007-06-04 00:05 <DIR> d-------- C:\Documents and Settings\Ruben\DoctorWeb
2007-06-04 00:05 <DIR> d-------- C:\DOCUME~1\Ruben\DoctorWeb
2007-05-31 18:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-05-30 12:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-30 12:29 <DIR> dr-h----- C:\Documents and Settings\Ruben\Onlangs geopend
2007-05-30 12:29 <DIR> dr-h----- C:\DOCUME~1\Ruben\Onlangs geopend
2007-05-30 12:25 <DIR> d-------- C:\Program Files\CCleaner
2007-05-28 23:18 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-23 19:53 <DIR> d-------- C:\Vundofix
2007-05-23 19:46 <DIR> d-------- C:\VundoFix Backups
2007-05-22 22:10 <DIR> d-------- C:\HJT
2007-05-14 23:25 <DIR> d-------- C:\Creative
2007-05-14 00:49 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-05-14 00:46 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-05-14 00:45 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-05-14 00:43 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-05-14 00:41 3,072 --a------ C:\WINDOWS\CTXFIDUT.DLL
2007-05-14 00:41 24,576 --a------ C:\WINDOWS\INRESDUT.DLL
2007-05-14 00:41 10,752 --a------ C:\WINDOWS\CTDCRDUT.DLL
2007-05-14 00:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-05-13 15:01 <DIR> d-------- C:\Program Files\QuickTime
2007-05-13 11:06 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-05-13 11:06 840,960 --a------ C:\WINDOWS\system32\drivers\P17.sys
2007-05-13 11:06 53,248 --a------ C:\WINDOWS\system32\P17CPI.dll
2007-05-13 11:06 33,792 -ra------ C:\WINDOWS\system32\a3d.dll
2007-05-13 11:06 20,480 --a--c--- C:\WINDOWS\P17DEF.EXE
2007-05-13 11:06 139,264 --a------ C:\WINDOWS\system32\EAX.DLL
2007-05-13 11:06 136,704 --a------ C:\WINDOWS\system32\P17res.dll
2007-05-13 11:06 11,766 --a--c--- C:\WINDOWS\SETTINGS.REG
2007-05-13 11:05 65,024 --a------ C:\WINDOWS\system32\CTDetres.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 14:33:57 -------- d-----w C:\Program Files\Weather Watcher
2007-06-08 14:27:26 12,338 ----a-w C:\WINDOWS\system32\Tablet.dat
2007-06-05 14:13:26 -------- d-----w C:\Program Files\MorpheusBar
2007-06-02 16:52:58 -------- d-----w C:\Program Files\LimeWire
2007-05-31 16:56:08 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 16:14:09 -------- d-----w C:\Program Files\Google
2007-05-27 16:40:38 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-05-21 20:18:17 -------- d-----w C:\Program Files\Hitman Pro
2007-05-21 20:18:17 -------- d-----w C:\Program Files\FlashGet
2007-05-14 18:17:28 860 ----a-w C:\WINDOWS\checkip.dat
2007-05-14 11:20:16 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Creative
2007-05-14 05:38:19 -------- d-----w C:\Program Files\Creative
2007-05-07 23:56:50 -------- d-----w C:\Program Files\Warblade
2007-05-07 19:53:54 -------- d-----w C:\Program Files\GameSpy Arcade
2007-05-07 09:54:48 -------- d-----w C:\Program Files\MAIET
2007-05-02 09:31:38 -------- d-----w C:\Program Files\EA GAMES
2007-04-18 16:15:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 18:18:58 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Windows Desktop Search
2007-04-17 17:57:46 89,132 ----a-w C:\WINDOWS\system32\perfc013.dat
2007-04-17 17:57:46 488,174 ----a-w C:\WINDOWS\system32\perfh013.dat
2007-04-17 17:57:40 -------- d-----w C:\Program Files\Windows Desktop Search
2007-04-13 23:39:42 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Turbine
2007-04-04 16:28:44 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-03-17 13:45:54 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2006-10-11 17:43:51 80 --sh--r C:\WINDOWS\system32\FFC7D5B02C.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 05:33]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2005-08-11 20:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 18:51 C:\WINDOWS\system32\P17.DLL]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 13:49]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 00:00]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 23:02]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"SigmatelSysTrayApp"="stsystra.exe" []
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 03:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 14:11]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07]
"CTHelper"="CTHELPER.EXE" []
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 06:20 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-04-18 17:12]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2006-02-11 15:06]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"SetDefaultMIDI"="MIDIDef.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39]


Contents of the 'Scheduled Tasks' folder
2007-05-13 11:50:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-08 22:16:04 C:\WINDOWS\tasks\Scannen op virussen via McAfee.com - Mijn computer (RUBEN-KAMER-Ruben).job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 00:23:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 2007-06-09 0:25:11
C:\ComboFix2.txt ... 2007-06-04 13:57
C:\ComboFix3.txt ... 2007-05-31 17:41

--- E O F ---

hope you'll forgive me for the long waiting time ;)

#16 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 09 June 2007 - 01:24 AM

Hi Ssaturos, :wave:

No worries, weíre always here when you do get back. :)

although when i was gone, macaffee ran a scan like it does on every friday, and found 2 vundo files in the vundofix/backups folder, this is normal?

Yes, that is normal. Those malware files would be in the VundoFix quarantine folder, and are neutralized. But, McAfee would pick up on the malware signatures and flag them. :)

I notice that youíve decided to retain Morpheus and Messenger Plus on your system. That is entirely up to you to keep them on your system, as long as you know the risks involved. :)

Just some loose ends to tie up, and then we can let you go home. :)

Please uninstall any older versions of Sun Java that may be on your system. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components:
  • Please go to Start -> Control Panel -> Add/Remove Programs.
  • If you have older versions listed, please uninstall them. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.
  • Examples of older versions in Add/Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
    • Java™ SE Runtime Environment 6
  • Please reboot your system after uninstalling any older versions of Java.

NEXT:

Everything looks great --- your HijackThis log appears to be clean. :)

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.

  • Firewall (a must!)
    It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
    Test your Firewall and make sure it is working properly.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.

  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you do decide to install Firefox, please take a moment to read Switching from IE to Firefox.

  • SpywareBlaster
    This is a great FREE prevention tool to keep nasties from installing on your system.
    Tutorial: How to use!

  • IE-SPYAD
    This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Tutorial: How to use!

  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
    Tutorial: How to use!

  • Ad-Aware SE
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy compliment each other very well.
    Tutorial: How to use!

  • I suggest that you download one or two of these FREE and good anti-trojan programs to use for ad-hoc scanning on your system:
    a-squared Free
    AVG Anti-Spyware Free
    AVZ Antiviral Toolkit
    SUPERAntiSpyware


  • I would also suggest you perform an online virus scan once in a while because what one virus scanner can't find, another one maybe can:
    BitDefender Online Scanner
    F-Secure Online Scanner
    Panda ActiveScan
    Dr.Web CureIt <-- This is not really an online scanner, as it is a standalone utility. You need to download a new copy for updated virus definitions, but it can be run in Safe Mode, unlike the online scanners above.
Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Hopefully this should take care of your problems! Good luck! :D
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#17 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 11 June 2007 - 02:51 PM

Actually i decided to keep messengerplus!live, but tried to get rid of morpheusbar. could you help me get rid of morpheusbar, seems it won't be deleted that easily, there's some .dll s in the folder too.

#18 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 12 June 2007 - 12:50 AM

Hi Ssaturos, :wave:

Try uninstalling MorpheusBar via Add/Remove Programs.

If that didn’t work, let’s try this next.

For this next step, please delete your current copy of ComboFix-Do.txt as we shall be creating a new one:
  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    (start copying from "Folder::")


    Folder::
    C:\Program Files\MorpheusBar
    

  • Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Posted Image


  • Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan located at C:\ComboFix.txt.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

Edited by Sempurna, 12 June 2007 - 12:51 AM.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#19 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 12 June 2007 - 03:30 PM

Done, Combofix log:

"Ruben" - 2007-06-12 22:22:26 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Ruben\"
Command switches used :: ""C:\Documents and Settings\Ruben\Bureaublad\ComboFix-Do.txt""


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\MorpheusBar\bar\1.bin\M0PLUGIN.DLL"
"C:\Program Files\MorpheusBar\bar\1.bin\M0POPSWT.DLL"
"C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL"
"C:\Program Files\MorpheusBar\bar\Cache\0005D4EB"
"C:\Program Files\MorpheusBar\bar\Cache\01076273.bin"
"C:\Program Files\MorpheusBar\bar\Cache\0107660D.bin"
"C:\Program Files\MorpheusBar\bar\Cache\0107688E.bin"
"C:\Program Files\MorpheusBar\bar\Cache\01076AE0.bin"
"C:\Program Files\MorpheusBar\bar\Cache\01076D8F.bin"
"C:\Program Files\MorpheusBar\bar\Cache\01076F54.bin"
"C:\Program Files\MorpheusBar\bar\Cache\files.ini"
"C:\Program Files\MorpheusBar\bar\History\search2"
"C:\Program Files\MorpheusBar\bar\Settings\prevcfg2.htm"
"C:\Program Files\MorpheusBar"


((((((((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 ))))))))))))))))))))))))))))))))))


2007-06-11 14:56 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Bureaublad
2007-06-10 16:56 <DIR> d-------- C:\Program Files\Windows Live
2007-06-04 15:22 <DIR> d-------- C:\DOCUME~1\Ruben\APPLIC~1\SecondLife
2007-06-04 15:21 <DIR> d-------- C:\Program Files\SecondLife
2007-06-04 00:05 <DIR> d-------- C:\Documents and Settings\Ruben\DoctorWeb
2007-06-04 00:05 <DIR> d-------- C:\DOCUME~1\Ruben\DoctorWeb
2007-05-31 18:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-05-30 12:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-05-30 12:29 <DIR> dr-h----- C:\Documents and Settings\Ruben\Onlangs geopend
2007-05-30 12:29 <DIR> dr-h----- C:\DOCUME~1\Ruben\Onlangs geopend
2007-05-30 12:25 <DIR> d-------- C:\Program Files\CCleaner
2007-05-28 23:18 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-23 19:53 <DIR> d-------- C:\Vundofix
2007-05-23 19:46 <DIR> d-------- C:\VundoFix Backups
2007-05-22 22:10 <DIR> d-------- C:\HJT
2007-05-14 23:25 <DIR> d-------- C:\Creative
2007-05-14 00:49 41,984 --------- C:\WINDOWS\Ctregrun.exe
2007-05-14 00:46 <DIR> d-------- C:\Program Files\Common Files\Creative
2007-05-14 00:45 <DIR> d--h----- C:\Program Files\Creative Installation Information
2007-05-14 00:43 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
2007-05-14 00:41 3,072 --a------ C:\WINDOWS\CTXFIDUT.DLL
2007-05-14 00:41 24,576 --a------ C:\WINDOWS\INRESDUT.DLL
2007-05-14 00:41 10,752 --a------ C:\WINDOWS\CTDCRDUT.DLL
2007-05-14 00:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Creative
2007-05-13 15:01 <DIR> d-------- C:\Program Files\QuickTime
2007-05-13 11:06 86,016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2007-05-13 11:06 840,960 --a------ C:\WINDOWS\system32\drivers\P17.sys
2007-05-13 11:06 53,248 --a------ C:\WINDOWS\system32\P17CPI.dll
2007-05-13 11:06 33,792 -ra------ C:\WINDOWS\system32\a3d.dll
2007-05-13 11:06 20,480 --a--c--- C:\WINDOWS\P17DEF.EXE
2007-05-13 11:06 139,264 --a------ C:\WINDOWS\system32\EAX.DLL
2007-05-13 11:06 136,704 --a------ C:\WINDOWS\system32\P17res.dll
2007-05-13 11:06 11,766 --a--c--- C:\WINDOWS\SETTINGS.REG
2007-05-13 11:05 65,024 --a------ C:\WINDOWS\system32\CTDetres.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-12 16:53:30 -------- d-----w C:\Program Files\Weather Watcher
2007-06-12 14:10:11 12,338 ----a-w C:\WINDOWS\system32\Tablet.dat
2007-06-10 14:56:16 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-06-10 14:56:15 -------- d-----w C:\Program Files\MSN Messenger
2007-06-02 16:52:58 -------- d-----w C:\Program Files\LimeWire
2007-05-31 16:56:08 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 16:14:09 -------- d-----w C:\Program Files\Google
2007-05-21 20:18:17 -------- d-----w C:\Program Files\Hitman Pro
2007-05-21 20:18:17 -------- d-----w C:\Program Files\FlashGet
2007-05-14 18:17:28 860 ----a-w C:\WINDOWS\checkip.dat
2007-05-14 11:20:16 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Creative
2007-05-14 05:38:19 -------- d-----w C:\Program Files\Creative
2007-05-07 23:56:50 -------- d-----w C:\Program Files\Warblade
2007-05-07 19:53:54 -------- d-----w C:\Program Files\GameSpy Arcade
2007-05-07 09:54:48 -------- d-----w C:\Program Files\MAIET
2007-05-02 09:31:38 -------- d-----w C:\Program Files\EA GAMES
2007-04-18 16:15:26 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 18:18:58 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Windows Desktop Search
2007-04-17 17:57:46 89,132 ----a-w C:\WINDOWS\system32\perfc013.dat
2007-04-17 17:57:46 488,174 ----a-w C:\WINDOWS\system32\perfh013.dat
2007-04-17 17:57:40 -------- d-----w C:\Program Files\Windows Desktop Search
2007-04-13 23:39:42 -------- d-----w C:\DOCUME~1\Ruben\APPLIC~1\Turbine
2007-04-04 16:28:44 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-03-17 13:45:54 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2006-10-11 17:43:51 80 --sh--r C:\WINDOWS\system32\FFC7D5B02C.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2005-05-31 05:33]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2005-08-11 20:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 18:51 C:\WINDOWS\system32\P17.DLL]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 19:29]
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 02:02]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 13:49]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 00:00]
"MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 18:00]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 23:02]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"SigmatelSysTrayApp"="stsystra.exe" []
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 03:43]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 20:05]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-13 14:11]
"AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 18:07]
"CTHelper"="CTHELPER.EXE" []
"CTxfiHlp"="CTXFIHLP.EXE" [2006-05-24 06:20 C:\WINDOWS\system32\CTXFIHLP.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2006-04-18 17:12]
"WeatherWatcher"="C:\Program Files\Weather Watcher\ww.exe" [2006-02-11 15:06]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"SetDefaultMIDI"="MIDIDef.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 15:39]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41cf6f41-ac2e-11da-809f-0014a5019094}]
AutoRun\command- K:\setupSNK.exe


Contents of the 'Scheduled Tasks' folder
2007-05-13 11:50:06 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-12 16:52:18 C:\WINDOWS\tasks\Scannen op virussen via McAfee.com - Mijn computer (RUBEN-KAMER-Ruben).job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 22:26:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-12 22:27:41
C:\ComboFix-quarantined-files.txt ... 2007-06-12 22:27
C:\ComboFix2.txt ... 2007-06-09 00:25
C:\ComboFix3.txt ... 2007-06-04 13:57

--- E O F ---


HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 22:29:55, on 12-6-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\DAEMON Tools\daemon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Tablet\TabUserW.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lotro-europe.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Startup: Wallpaper kiezer.lnk = C:\Program Files\goldensun\wpc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Tablet.lnk = C:\Program Files\Tablet\TabUserW.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

hope it's gone now ^^

#20 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 12 June 2007 - 11:57 PM

Hi Ssaturos, :wave:

Yep, it's gone. :)

Any persistent problem or suspicious behaviour on your machine that I should know about?

How are things running now?
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#21 Ssaturos

Ssaturos

    Member

  • Full Member
  • Pip
  • 13 posts

Posted 15 June 2007 - 08:58 AM

everything's smooth now =] All i've gotta do now is get my internet back up and i'll be able to use my pc again :p Thanks a lot for helping me!

#22 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 15 June 2007 - 09:59 AM

You're most welcome, Ssaturos. :)

Have a great weekend! :wave;
~ Sempurna
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#23 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 25 July 2007 - 07:36 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button